fix(backend): Reject OAuth JWTs for session token token type

wobsoriano · wobsoriano · commit af9df3e13498 · 2026-02-04T11:53:25.000-08:00
diff --git a/packages/backend/src/tokens/__tests__/request.test.ts b/packages/backend/src/tokens/__tests__/request.test.ts
@@ -1496,6 +1496,73 @@ describe('tokens.authenticateRequest(options)', () => {
           isAuthenticated: false,
         });
       });
+
+      test('rejects OAuth JWT token when acceptsToken is session_token', async () => {
+        const request = mockRequest({ authorization: `Bearer ${mockTokens.oauth_token}` });
+        const result = await authenticateRequest(request, mockOptions({ acceptsToken: 'session_token' }));
+
+        expect(result).toBeSignedOut({
+          reason: AuthErrorReason.TokenTypeMismatch,
+          message: '',
+          tokenType: 'session_token',
+          isAuthenticated: false,
+        });
+        expect(result.toAuth()).toBeSignedOutToAuth();
+      });
+
+      test('rejects M2M token when acceptsToken is session_token', async () => {
+        const request = mockRequest({ authorization: `Bearer ${mockTokens.m2m_token}` });
+        const result = await authenticateRequest(request, mockOptions({ acceptsToken: 'session_token' }));
+
+        expect(result).toBeSignedOut({
+          reason: AuthErrorReason.TokenTypeMismatch,
+          message: '',
+          tokenType: 'session_token',
+          isAuthenticated: false,
+        });
+        expect(result.toAuth()).toBeSignedOutToAuth();
+      });
+
+      test('rejects API key when acceptsToken is session_token', async () => {
+        const request = mockRequest({ authorization: `Bearer ${mockTokens.api_key}` });
+        const result = await authenticateRequest(request, mockOptions({ acceptsToken: 'session_token' }));
+
+        expect(result).toBeSignedOut({
+          reason: AuthErrorReason.TokenTypeMismatch,
+          message: '',
+          tokenType: 'session_token',
+          isAuthenticated: false,
+        });
+        expect(result.toAuth()).toBeSignedOutToAuth();
+      });
+
+      test('accepts valid session token when acceptsToken is session_token', async () => {
+        server.use(
+          http.get('https://api.clerk.test/v1/jwks', () => {
+            return HttpResponse.json(mockJwks);
+          }),
+        );
+
+        const request = mockRequest({ authorization: `Bearer ${mockJwt}` });
+        const result = await authenticateRequest(request, mockOptions({ acceptsToken: 'session_token' }));
+
+        expect(result).toBeSignedIn();
+        expect(result.tokenType).toBe('session_token');
+      });
+
+      test('accepts OAuth JWT when acceptsToken is "any"', async () => {
+        server.use(
+          http.post(mockMachineAuthResponses.oauth_token.endpoint, () => {
+            return HttpResponse.json(mockVerificationResults.oauth_token);
+          }),
+        );
+
+        const request = mockRequest({ authorization: `Bearer ${mockTokens.oauth_token}` });
+        const result = await authenticateRequest(request, mockOptions({ acceptsToken: 'any' }));
+
+        expect(result).toBeMachineAuthenticated();
+        expect(result.tokenType).toBe('oauth_token');
+      });
     });
 
     describe('Array of Accepted Token Types', () => {
diff --git a/packages/backend/src/tokens/request.ts b/packages/backend/src/tokens/request.ts
@@ -411,6 +411,20 @@ export const authenticateRequest: AuthenticateRequest = (async (
   async function authenticateRequestWithTokenInHeader() {
     const { tokenInHeader } = authenticateContext;
 
+    // SECURITY: Reject machine tokens (M2M, OAuth, API keys) when expecting session tokens.
+    // OAuth JWTs (RFC 9068) are valid JWTs signed by Clerk and will pass verifyToken() verification,
+    // but they should not be accepted as session tokens. We must explicitly check the token type
+    // before verification to prevent machine tokens from being incorrectly authenticated as sessions.
+    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+    if (isMachineToken(tokenInHeader!)) {
+      return signedOut({
+        tokenType: TokenType.SessionToken,
+        authenticateContext,
+        reason: AuthErrorReason.TokenTypeMismatch,
+        message: '',
+      });
+    }
+
     try {
       // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
       const { data, errors } = await verifyToken(tokenInHeader!, authenticateContext);
@@ -608,6 +622,19 @@ export const authenticateRequest: AuthenticateRequest = (async (
       return handleSessionTokenError(decodedErrors[0], 'cookie');
     }
 
+    // SECURITY: Defense-in-depth check to reject machine tokens in cookies.
+    // While machine tokens should only be in headers, this prevents potential security issues
+    // if a machine token somehow ends up in the session cookie.
+    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+    if (isMachineToken(authenticateContext.sessionTokenInCookie!)) {
+      return signedOut({
+        tokenType: TokenType.SessionToken,
+        authenticateContext,
+        reason: AuthErrorReason.TokenTypeMismatch,
+        message: '',
+      });
+    }
+
     if (decodeResult.payload.iat < authenticateContext.clientUat) {
       return handleMaybeHandshakeStatus(authenticateContext, AuthErrorReason.SessionTokenIATBeforeClientUAT, '');
     }
